Darktrace Post‑Mortem: SQL Server Exploit & Autonomous Response

Key Takeaway

Darktrace identified every stage of the attack chain—from initial compromise through reconnaissance, lateral movement, and persistence—and demonstrated how autonomous response technology (Antigena) can proactively intervene to halt the attack early.

Summary

  • Attack Context – Although many recently publicised attacks arrive via SaaS and IoT, server‑side attacks remain a serious threat. Target: a Canadian financial institution with ~3,000 devices.
  • Exploited the unpatched CVE‑2020‑0618 (SQL Server Reporting Services) and CVE‑2020‑0613.
  • Initial Compromise – An unknown attacker gained access through a VPN vulnerability using the credential “parents” and authenticated via NT LAN Manager (NTLM). Phishing may have preceded the Darktrace deployment.
  • Reconnaissance – Ten hours of pass‑the‑hash activity using the credential “parents”; the attacker scanned 80+ IPs on ports 443/445 and used SMBv1 to initiate sessions (79 successful).
  • Lateral Movement – A desktop initiated and controlled services on the SQL server (svcctl over DCE‑RPC). A POST request exploited CVE‑2020‑0613 (a deserialization issue) for remote code execution. The traffic was detected through an abnormal User‑Agent and connection anomalies.
  • Command & Control – The attacker connected to the SNMP server over the VPN using the “parents” RDP cookie, downloaded encrypted data from Pastebin, and maintained C2 with dropbox16.com on port 443.
  • Persistence & Privilege Escalation – Created a new user via SamrCreateUser2InDomain on the domain controller; a 100 % anomaly score was recorded.
  • Autonomous Response (Antigena) – Hypothetical actions included blocking ports during the scans, pausing service‑control requests, and integrating with firewall/NAC. These actions would have paralyzed the reconnaissance and limited the damage.
  • Lessons Learned – The importance of access control for low‑privileged credentials, regular patch management (SMBv1, SQL Reporting Services), and awareness of dormancy periods.
  • Deployment Lesson – After testing autonomous response, the company activated Antigena; Darktrace detected all phases and could have blocked the critical connections had it been enabled.
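The stages summarised above (fan‑out scanning on 443/445 with SMBv1, service control on the SQL server from a desktop, and user creation on the domain controller) map to simple detection rules. The following is an added example, not code from the original post or from Darktrace; the event format, the `ws-` naming convention for desktops, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_THRESHOLD = 80          # distinct peers on 443/445 (the post reports 80+ IPs scanned)
WORKSTATION_PREFIX = "ws-"   # assumption: desktop hosts are named ws-*

# Constructed sample events (src, dst, port, protocol, detail); not from the post.
EVENTS = (
    [("ws-42", f"10.0.1.{i}", 445, "smb", "SMBv1") for i in range(1, 90)]
    + [("ws-42", f"10.0.2.{i}", 443, "tcp", "") for i in range(1, 20)]
    + [("ws-42", "sql-01", 135, "dce-rpc", "svcctl"),                   # service control on SQL server
       ("ws-42", "dc-01", 445, "dce-rpc", "SamrCreateUser2InDomain"),   # new domain user
       ("admin-jump", "sql-01", 445, "smb", "SMBv2")]                    # benign, below threshold
)


def detect(events):
    """Return {source: sorted rule names} for every source that trips at least one rule."""
    peers = defaultdict(set)      # distinct peers per source on 443/445
    hits = defaultdict(set)
    for src, dst, port, proto, detail in events:
        if port in (443, 445):
            peers[src].add(dst)
        if detail == "SMBv1":                          # legacy dialect that should be disabled
            hits[src].add("smbv1_session")
        if proto == "dce-rpc" and detail == "svcctl" and src.startswith(WORKSTATION_PREFIX):
            hits[src].add("svcctl_from_workstation")   # desktops do not normally control services
        if detail == "SamrCreateUser2InDomain":
            hits[src].add("domain_user_created")       # account creation against the DC
    for src, dsts in peers.items():
        if len(dsts) >= SCAN_THRESHOLD:
            hits[src].add("scan_fanout")
    return {src: sorted(rules) for src, rules in hits.items()}


def chain_complete(findings, src):
    """True when one source shows reconnaissance, lateral movement and persistence together."""
    rules = set(findings.get(src, []))
    return {"scan_fanout", "svcctl_from_workstation", "domain_user_created"} <= rules


if __name__ == "__main__":
    findings = detect(EVENTS)
    for src, rules in findings.items():
        print(src, rules, "full chain" if chain_complete(findings, src) else "")
```

Any one rule alone is noisy; the `chain_complete` check is where a single source tripping all three stages becomes the signal an autonomous response would act on.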

Related Queries

How can SMBv1 be safely disabled in enterprise networks?

Which AI approaches detect typical lateral‑movement patterns in SQL Server exploit calls?

What are best‑practice metrics for monitoring anomalies in domain controller service‑create calls?

Source: Darktrace Blog Post